10 useful and quick tips to enhance the security of your new WordPress website

You’ve been working on it for the last couple of months and, even if you’ve missed some nights out with your friends, and have slept a few hours less, you’re done: your new WordPress website is now ready to go live.

It's been a lot of time and work, I know, and it’d be a nightmare having to deal with security issues as soon as you make it available on the Web. So you’d better tweak some aspects right from the beginning and go live with an improved WordPress website.

10 quick tips for improving the security of your new WordPress website

WordPress security is an important aspect you’ll have to take into account for every action that affects your site, starting from the plugins you choose to install, the themes you’ll end up using and other aspects that don’t come to your mind as frequently as they should.

Security is a serious thing and an ongoing process that you should always keep under your radar. Think of the following security tips as layers you’re adding to your website, making it harder to be hacked and violated.

Don’t use “Admin” as your administrator username

“Admin” is the most common username for WordPress admin users. Everybody knows this, thus hackers. To make their life a little more complicated, you should prefer any other username over “admin” and pick one with capital letters. Since you already have a WordPress website, you should now:

create a new user with administration privileges

if your previous "admin" user was your only user, assign all blog posts and pages to the new admin user you just created

delete the old “admin” user from your WordPress

This will give hackers hard times when trying to log-in on your website, but, of course, it’s just one piece of the pie.

The other being your password and its complexity. Do you know which passwords were the most common in 2014? You won’t believe it: “123456”, “password”, “12345678”, “qwerty” and “123456789” are the 5 most used passwords. This data have been collected and shared by security consultant Mark Burnett, who scout for and gathered 10 million passwords from the Web over a period of several years.

Long story short: passwords are vital to your WordPress security. That’s why you need to start using passwords that have the following features:

If you don’t know how to come up with a password so strong, just use a service like strongpasswordgenerator.com or try a phonetic password generator, which will do the work for you. And if you want to take your users and passwords management to a new level, use services like LastPass, which will be able to generate strong and long passwords as well.

Use 2-factor authentication for login

Two-factor authentication is a combined way to provide login credentials to a service, oftenly in the form of something you know and something you have, like a disposable string of numbers. Apple iCloud, Google, Dropbox, and many other services provide you with the possibility to use this more secure way to log in, so why wouldn’t you with your WordPress website?

To efficiently implement a two-factor auth, you should use one of the many plugins available . Two interesting plugins that give a “twist” to two-factor auth are Rublon, which is also an email-based two-factor authentication, and Clef, which uses the camera of your phone.

Disable login hints

Any time you type wrong, non-existent username or just an incorrect password on your WordPress website’s login form, you’ll get a hint telling you either your username is wrong, or your password doesn’t match with that username.

Maybe it never occurred to you but this is golden for those hackers looking to break into your website. That’s why you should get rid of such information by disabling it with a script within your functions.php file:

Before downloading any plugin from anywhere, you should always look for:

reviews, comments or any other opinions related to the plugin and the plugin’s author

if support is provided and in which form (free vs. paid)

if plugin’s author is responsive to users

Never forget: before downloading a plugin, do a full back of your website and database.

Keep your WordPress environment updated

Each time a security issue pops up, a patch is on its way, meaning that keeping a website up and running securely is a continuous commitment. Having all your files updated to their latest available version is an excellent way to increase the security of your WordPress website.

From WordPress 3.7+, minor and security updates happen automagically in your WordPress installation, while to perform major updates to WordPress core files, plugins and themes you’ll need to either perform them via your dashboard or FTP.

When talking about keeping all your files updated, there's more than just security enhancements like improved performances, bug fixes, better compatibility and new features.

Keep your WordPress clean

In an updated WordPress environment, there won’t be any room for “unused” stuff such as deactivated plugins and old themes, which might bring in some security issues since you haven’t been using them recently and probably forget to update.

Disable trackbacks

Pingbacks and trackbacks notify that your content got linked from another web page, and many users don’t care about them so much. Via trackbacks, hackers could cause massive distributed denial-of-service attack (DDoS) attacks or could use other “clean” WordPress sites to do their dirty work.

So for any new WordPress website, it’s important to disable this feature by going to Settings > Discussion and then uncheck the “Allow link notifications from other blogs (pingbacks and trackbacks)” option.

Set file and folder permissions to correct values

File and folder permissions are set of rules that “specify who and what can read, write, modify and access them” in your WordPress website. These permissions are provided with a three-number value to any files and folders.

Since these values can regulate which users can modify (or even delete) files and folders, you’d need to set them up with the following values:

folders = 755

files = 644

Also be warned never to use a permission mode of 777 for any of your files or folders because it would enable any users full privileges among your files and folders. For more information about permissions mode, please refer to this page.

Prevent directory browsing (indexing) of your WordPress website

When your web server doesn’t find an index.php or index.html file, it’ll display a page showing the contents of such directory, making important information related to your installed plugins, themes, and so on, easily available to anybody.

You can check to see if directory browsing is enabled on your site by creating a new folder containing a simple text file and then visit the directory via your web browser. If it displays a link to the text file, then directory browsing is enabled. If you get a message like “Page Not Found”, “Forbidden” or just a blank page, then directory browsing is disabled.

Since the goal here is to make your WordPress website more secure with quick tweaks, it’s helpful to prevent that information from being quickly known by hackers. To do so, you should add to your .htaccess file this line:

Options All -Indexes

Make sure that both your wp-content/themes and wp-content/plugins folders have a blank index.php file in it too.

Your turn now

Keeping your website secure will be one of the most important elements on your to-do list since it’s an ongoing and neverending process. These quick and useful tips are the very beginning for any new WordPress sites and, of course, there are many (and more robust) ways you could significantly improve the security.

That’s why I’d like to ask you: which tactics, plugins, and tips do you think are great to enhance the security of a WordPress website?

Nowadays (in the days of auto-updating) the web-user and the ftp-user can no longer be distinct: PHP code must be able to change PHP code. Either that or one will spent a lot of time granting “7“-rights to the-other-user to fix issues. In other word’s the „suexec“ concept IMHO is not longer doable, and if it is, one can set the group rights even to 0, not just 5.

【Ƿ】 Fran Kee

What I do miss is normal .htpasswd auth for wp-admin/ and /wp-login.php:

Great tips. Very helpful for the newbies in WordPress. I have few years of experience using WordPress, but some of the points mentioned in this article are new ideas for me. When I started working on the WordPress sites, I thought it was the most secure platform but later I came to know that even WordPress is vulnerable. I used to conduct regular site audits and pen testings. Companies like NCI in Mississauga helped me to secure my WordPress sites.

Nice article, there’s a lot of great tips here!! Thank you very much for this. I found it really very interesting. I found an interesting article regarding wordpress here you can find it https://goo.gl/VpXZao

Amica Catherine

Indeed, your views on WP security are very appreciable.

Vincenzo Re

All useful tips, but is missing a tip that I think once implemented allows you to sleep soundly. It is to enable a changed files monitoring service.

About a year ago my site was hacked and someone managed to upload a malicious shell. Luckily, however, I had activated the service https://monitorwebsitefilechanges.cloud who alerted me of the intrusion. Knowing which files had been uploaded, I could clean up the site and analyze a limited time window of the access log to find out in which way they had entered.

Luca

Hi, is useful install a security plugin like “WP Security Optimizer” (https://wordpress.org/plugins/wp-security-optimizer/). It prevent hackers to sabotage your rankings in search engines. Elude attackers that exploits your website and fight Negative SEO attacks made using Acunetix and WPScan and other penetration testing toolkit. Implement features preventing users to be enumerated, and in particular enumeration of installed themes (wpscan –enumerate t) and plugins (wpscan –enumerate vp), generating false positives and forwarding an alert to the site administrator when it detects a scan. And finally, can verify corrupted and infected PHP files stored into “wp-admin” and “wp-includes” folders. regards

Brandon Graves

Keeping a strong password for your website is a must, the other thing is back up your site regularly is antidote for anything unexpected happens. Great work you do here I appreciate your work.